1381191964 J * thierryp_ ~thierry@home.parmentelat.net
1381192315 Q * thierryp Ping timeout: 480 seconds
1381196393 M * Bertl off to bed now ... have a good one everyone!
1381196397 N * Bertl Bertl_zZ
1381196578 Q * thierryp_ Remote host closed the connection
1381196599 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:d5e1:68e5:957c:373d
1381197084 Q * thierryp Ping timeout: 480 seconds
1381198431 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:3cf6:985c:a22c:6b75
1381199154 Q * thierryp Ping timeout: 480 seconds
1381202064 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:6d42:7a4d:1f62:d192
1381202436 Q * Romster Read error: Connection reset by peer
1381202549 Q * thierryp Ping timeout: 480 seconds
1381203926 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:903e:7a41:e93a:5525
1381204409 Q * thierryp Ping timeout: 480 seconds
1381205497 J * paradigm-X ~username@pool-71-170-154-175.dllstx.fios.verizon.net
1381206001 M * paradigm-X On a machine with two physical network adapters on different subnets, I have installed a vserver guest to use two different interfaces, one for each of the subnets. The vserver guest networking interfaces work fine, as intended. Something curious happened with the host's networking, which I am not sure should be happening in this way...
1381206206 M * paradigm-X The vserver host system was configured to use only one of these two interfaces. I could see that only one of them was up in ifconfig. However, just as soon as I activated the guest's two interfaces, when it was started, then the second interface on the host appeared to come up as well, and it appeared to assume the same IP address as the guest.
1381206407 M * paradigm-X Because this adapter was showing UP and using the guest's IP address, which was not desirable, it was necessary for me to go ahead and give the second adapter in the host its own settings, different from those of the guest, so that it would not intrude on or listen to the guest's activity.
1381206419 M * paradigm-X What am I missing in this picture?
1381207368 Q * paradigm-X Ping timeout: 480 seconds
1381207610 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:d96d:8195:3f41:d291
1381208094 Q * thierryp Ping timeout: 480 seconds
1381211507 J * thierryp ~thierry@home.parmentelat.net
1381212005 Q * thierryp Ping timeout: 480 seconds
1381213369 J * thierryp ~thierry@home.parmentelat.net
1381213853 Q * thierryp Ping timeout: 480 seconds
1381213995 J * thierryp ~thierry@home.parmentelat.net
1381214164 J * thierryp_ ~thierry@2a01:e35:2e2b:e2c0:b036:90d6:279b:69da
1381214164 Q * thierryp Read error: Connection reset by peer
1381214546 J * Ghislain ~aqueos@adsl1.aqueos.com
1381216117 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1381217184 N * Bertl_zZ Bertl
1381217188 M * Bertl morning folks!
1381217279 M * arekm Bertl: are there any vserver update plans for 3.12?
1381217423 M * Bertl yes
1381217448 M * arekm hehe, shocking and good news :-)
1381218423 J * beng_ ~BenG@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com
1381219858 M * Ghislain hello there, is there a reason for a program to work in the host context and not work in context 1?
1381220849 M * Ghislain iotop works in the host context but fails, telling me I do not have CONFIG_VM_EVENT_COUNTERS in context 1. Perhaps because I have guest privacy on?
1381220875 M * Ghislain I start to wonder if there is any good in using this option if this is it :)
1381221241 M * daniel_hozac guest privacy really has no benefits other than limiting the host's ability to investigate the guest.
1381221401 M * Bertl which is the whole idea :)
1381221566 M * daniel_hozac that error sounds more like you are missing something from proc though
1381221576 M * daniel_hozac probably a setattr would get you up and running.
1381222000 M * Bertl off for now ... bbl
1381222004 N * Bertl Bertl_oO
1381222820 Q * ensc|w Remote host closed the connection
1381222828 J * ensc|w ~ensc@62.153.82.27
1381222903 M * Ghislain ok, will look into it, thanks daniel
1381225599 Q * thierryp_ Remote host closed the connection
1381229942 Q * ircuser-1 Ping timeout: 480 seconds
1381232498 J * ircuser-1 ~ircuser-1@35.222-62-69.ftth.swbr.surewest.net
1381233917 Q * fback Read error: No route to host
1381234125 J * fback fback@red.fback.net
1381236582 J * padde_ ~padde@patrick-nagel.net
1381236583 J * bzed_ ~bzed@bzed.netrep.oftc.net
1381236589 J * cuba33ci_ ~cuba33ci@114-36-235-14.dynamic.hinet.net
1381236614 J * geb_ ~geb@mars.gebura.eu.org
1381236634 J * Ghislain1 ~aqueos@adsl1.aqueos.com
1381236663 J * clopez_ ~tau@neutrino.es
1381236767 Q * Ghislain resistance.oftc.net oxygen.oftc.net
1381236767 Q * cuba33ci resistance.oftc.net oxygen.oftc.net
1381236767 Q * ex resistance.oftc.net oxygen.oftc.net
1381236767 Q * geb resistance.oftc.net oxygen.oftc.net
1381236767 Q * padde resistance.oftc.net oxygen.oftc.net
1381236767 Q * Rockj resistance.oftc.net oxygen.oftc.net
1381236767 Q * sladen resistance.oftc.net oxygen.oftc.net
1381236767 Q * disposable resistance.oftc.net oxygen.oftc.net
1381236767 Q * clopez resistance.oftc.net oxygen.oftc.net
1381236767 Q * arekm resistance.oftc.net oxygen.oftc.net
1381236767 Q * mnemoc resistance.oftc.net oxygen.oftc.net
1381236767 Q * bzed resistance.oftc.net oxygen.oftc.net
1381236767 Q * DLange resistance.oftc.net oxygen.oftc.net
1381236768 N * bzed_ bzed
1381236772 N * padde_ padde
1381236772 N * cuba33ci_ cuba33ci
1381236776 N * clopez_ clopez
1381237011 J * ex ~ex@valis.net.pl
1381237011 J * Rockj rockj@hodge.geekrevolution.net
1381237011 J * sladen ~paul@starsky.19inch.net
1381237011 J * arekm ~arekm@000161e0.user.oftc.net
1381237011 J * disposable disposable@shell.websupport.sk
1381237011 J * mnemoc ~amery@geeks.cl
1381237011 J * DLange ~DLange@dlange.user.oftc.net
1381239304 N * transaci1 transacid
1381239400 Q * cuba33ci Remote host closed the connection
1381239415 J * cuba33ci ~cuba33ci@114-36-235-14.dynamic.hinet.net
1381241497 Q * beng_ Quit: I Leave
1381241593 J * paradigm-X ~username@pool-71-170-154-175.dllstx.fios.verizon.net
1381242326 M * paradigm-X On a machine with two physical network adapters on different subnets, I have installed a vserver guest to use two different interfaces, one for each of the subnets. The vserver guest networking interfaces work fine, as intended. Something curious happened with the host's networking, which I am not sure should be happening in this way...
1381242341 M * paradigm-X The vserver host system was configured to use only one of these two interfaces. I could see that only one of them was up in ifconfig. However, just as soon as I activated the guest's two interfaces, when it was started, then the second interface on the host appeared to come up as well, and it appeared to assume the same IP address as the guest.
1381242358 M * paradigm-X Because this adapter was showing UP and using the guest's IP address, which was not desirable, it was necessary for me to go ahead and give the second adapter in the host its own settings, different from those of the guest, so that it would not intrude on or listen to the guest's activity.
1381242383 M * paradigm-X What am I missing in this picture?
1381242422 M * Bertl_oO that this is exactly how it is supposed to be :)
1381243186 M * paradigm-X Bertl_oO: hello. When I read the section called "Enhancing Security" on this page, http://linux-vserver.org/Usage_Scenarios, and, in particular, this sentence, "The goal is isolate the main environment from any service, any network."
1381243225 M * paradigm-X "You boot in the main environment, start very few services and then continue in the virtual server."
1381243302 M * paradigm-X It is with this goal, implied by the section "Enhancing Security", that I intend to make use of the vserver programs.
1381243314 M * Bertl_oO correct, emphasis on isolation, i.e. separating inside from outside, not virtualization
1381243381 M * Bertl_oO so for example, networking happens on one stack (by default) which is the same for host and all guests, but inside a guest, you only see those network elements which are somehow related to your guest
1381243393 M * paradigm-X How is my vserver host isolated from the guest if it cannot avoid making use of the network?
1381243439 M * Bertl_oO the host is the admin context and it has control over all the networking
1381243482 M * Bertl_oO the guests are in isolation and e.g. only see interfaces carrying an IP assigned to that guest
1381243512 M * paradigm-X that part I understand clearly enough, thanks.
1381243529 M * Bertl_oO okay, so what is it that confuses you?
1381243667 M * paradigm-X Maybe I should get some clarification on what this statement meant exactly on that same page: "The service in the main environment would be: 1. Unreachable from the network."
1381243693 M * daniel_hozac it all depends on how you set it up
1381243742 M * paradigm-X Hi, daniel. Are you referring to my statement?
1381243833 M * daniel_hozac yes
1381244075 M * paradigm-X Since you no doubt have a better understanding of this program than I do at this point, would you care to explain more precisely what you mean beyond "It depends..."? That leaves me without much to go on. :)
1381244119 M * Bertl_oO maybe start with describing what you want to achieve
1381244136 M * Bertl_oO (i.e. what is the goal)
1381244167 J * BenG_ ~bengreen@bmex-gw.bristolwireless.net
1381244326 M * paradigm-X Can we start with defining "main environment" from this sentence: "The goal is isolate the main environment from any service, any network"? I am not referring to semantics, only to the general idea of which main environment would be unreachable.
1381244380 M * paradigm-X That is my goal, and I need to understand what you meant by that statement.
1381244445 M * daniel_hozac your goal is to understand a sentence?
1381244465 M * paradigm-X It depends.
1381244526 M * daniel_hozac if you start no services on the host, it will have nothing to make it reachable over the network.
1381244529 M * Bertl_oO I have no idea where this sentence was taken from, but when I put it in relation to Linux-VServer, it clearly means that you can move host services away from the 'main environment' into guests, where they are isolated, thus increasing security
1381244546 M * paradigm-X http://linux-vserver.org/Usage_Scenarios
1381244638 M * Bertl_oO obviously that sentence was written by a non-native speaker, which explains the bad wording
1381244711 M * Bertl_oO basically it means: move all services usually running on the host into separate guests, so that security is increased (because of limited capabilities) and attacks on the services won't compromise the host
1381244762 M * Bertl_oO also, services still running on the host should not be reachable from the outside, otherwise it would not make much sense
1381245026 J * thierryp ~thierry@home.parmentelat.net
1381245027 Q * thierryp Remote host closed the connection
1381245090 M * paradigm-X That was a helpful clarification. Sometimes, as I read through the documentation, it is not clear from the context whether the writer intended "virtual server" to refer to the host or the guest.
1381245134 M * Bertl_oO yes, people usually have some problems with the nomenclature
1381245187 M * Bertl_oO we get everything from domain over container to vserver, and unfortunately for both host and guest :)
1381245213 M * paradigm-X For example, in that same section labeled "Enhancing Security" on that page, this sentence is not clear to me: "Able to log messages from the virtual server in a secure way. The virtual server would be unable to change/erase the logs. Even a cracked virtual server would not be able to edit the log."
1381245368 M * paradigm-X Do I understand that this program would allow the guest logs to be more secure from the guest itself, that it would be unable to change these logs, and that even a cracked "guest" would not be able to edit the guest's log?
1381245531 M * Bertl_oO yes, for example by running an rsyslog server on the host and logging the information directly from guest to host
1381245549 M * Bertl_oO naturally those logs cannot be erased even if the guest is compromised
1381245930 M * paradigm-X So, in this context the cracked guest would mean one that was made to "give up" root access and privileges within the guest? It does not mean by cracked guest one that unintentionally allowed access to the host environment. Is that right?
1381246151 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:b036:90d6:279b:69da
1381247780 Q * Ghislain1 Quit: Leaving.
1381247781 J * Ghislain ~aqueos@adsl1.aqueos.com
1381248266 Q * Ghislain Ping timeout: 480 seconds
1381248641 N * l0kit Guest1812
1381248648 J * l0kit ~1oxT@0001b54e.user.oftc.net
1381248843 J * bonbons ~bonbons@2001:a18:20f:4601:31ce:caae:8b7e:fbc
1381249046 Q * Guest1812 Ping timeout: 480 seconds
1381249993 Q * BenG_ Quit: I Leave
1381250802 M * Bertl_oO paradigm-X: yes, as it is rather unlikely to happen in a guest
1381251759 M * paradigm-X Bertl_oO: How is it decided which guest user ID should be used when the command is used to enter it, i.e., "vserver enter"? How can one affect which user enters?
1381251816 M * paradigm-X I don't see that indicated when I use "vserver --help".
1381251958 M * daniel_hozac it's root. always.
1381251974 M * daniel_hozac use ssh inside to login to a guest.
1381251997 M * daniel_hozac vserver ... enter is only a maintenance backdoor, much like a physical console on a server.
1381252061 M * paradigm-X daniel_hozac, and ssh is the only front door?
1381252087 M * Bertl_oO whatever service you install is your 'front door'
1381252101 M * Bertl_oO if you like telnet, then telnet it is :)
1381252189 M * paradigm-X there is no 'front door' at the console of the host?
1381252701 M * paradigm-X When I used Alt+F-# while on a terminal in the guest, the new terminal, to which I was prompted to log on, was one for host access. Is there a way to access multiple terminals within a guest using Alt+F-#, or another such means?
1381252817 M * daniel_hozac no.
1381252861 M * daniel_hozac you could give the guest a tty and set it up to run a getty, but none of that is standard issue.
1381252880 M * paradigm-X thank you
1381253029 J * grembleb ~bengreen@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com
1381254742 Q * grembleb Quit: I Leave
1381257359 Q * arekm Remote host closed the connection
1381257877 J * arekm ~arekm@000161e0.user.oftc.net
1381258884 Q * eyck_ Remote host closed the connection
1381260704 J * eyck ~eyck@nat08.nowanet.pl
1381261179 J * hijacker_ ~hijacker@cable-84-43-134-121.mnet.bg
1381262503 Q * hijacker_ Quit: Leaving
1381263992 Q * paradigm-X Quit: leaving
1381265379 Q * bonbons Quit: Leaving
1381270123 Q * eyck Remote host closed the connection
1381271036 J * eyck ~eyck@nat08.nowanet.pl
1381271448 Q * thierryp Remote host closed the connection
1381271469 J * thierryp ~thierry@2a01:e35:2e2b:e2c0:b036:90d6:279b:69da
1381271954 Q * thierryp Ping timeout: 480 seconds